Independent Test Results - Internet Firewall

Firewall - tough two-way protection

Your personal internet firewall must be able to protect you from inbound threats like hackers, and from outbound attacks like Trojans trying to transmit your personal data out. These 20 different tests were performed using independent, publicly available freeware from Firewall Leak Tester.

Compared to Norton, McAfee, and Microsoft, ZoneAlarm firewall was the only personal Internet firewall that stopped all 20 attacks.

Compare Firewall Test Results

Tooleaky opens your default web browser with a command line. If the web browser is allowed to access port 80, any data can be transmitted to a remote address, possibly including passwords or credit card numbers. If your firewall fails the test, this means that your firewall doesn't check applications that launch others.

FireHole uses your default web browser to transmit data to a remote host. To do this, it installs a DLL file onto your PC in the same process space as a trusted application, so it has a greater probability of accessing the Internet stealthily. If your firewall fails this test, then your firewall doesn't control applications that launch others, and is also vulnerable to DLL injection.

Leaktest was designed to test whether just renaming a malicious program with the name of an authorized application could allow it to bypass your firewall. If your firewall fails, then your firewall trusts your applications by their name (characters) instead of by a cryptographic fingerprint, e.g., MD5 (Message-Digest algorithm 5), which is a widely-used cryptographic hash function with a 128-bit hash value.
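As an added example (not part of the original page and not any vendor's code), the two trust models Leaktest distinguishes are shown below in Python: a file renamed to a trusted name passes a filename check but fails a content-fingerprint check. The filenames, allowlist and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed allowlist (not from any product). The fingerprint policy uses
# SHA-256 rather than the MD5 named on the page, since MD5 is no longer
# collision-resistant; the principle is the same: trust content, not names.
ALLOWED_NAMES = {"browser.exe"}

def fingerprint(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def name_based_allowed(path: str, allowed_names=ALLOWED_NAMES) -> bool:
    """The weak policy Leaktest targets: trust decided by filename alone."""
    return os.path.basename(path).lower() in allowed_names

def hash_based_allowed(path: str, allowed_hashes: set) -> bool:
    """Trust decided by content fingerprint; a renamed file does not match."""
    return fingerprint(path) in allowed_hashes

def demo() -> dict:
    """Create a trusted file and a same-named imposter, evaluate both policies."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "browser.exe")
        with open(trusted, "wb") as f:
            f.write(b"constructed bytes standing in for the real browser")
        # Same filename in another folder, different contents.
        os.mkdir(os.path.join(d, "tmp"))
        imposter = os.path.join(d, "tmp", "browser.exe")
        with open(imposter, "wb") as f:
            f.write(b"constructed bytes standing in for a leak test program")
        allowed_hashes = {fingerprint(trusted)}
        return {
            "name_trusted": name_based_allowed(trusted),
            "name_imposter": name_based_allowed(imposter),
            "hash_trusted": hash_based_allowed(trusted, allowed_hashes),
            "hash_imposter": hash_based_allowed(imposter, allowed_hashes),
        }

if __name__ == "__main__":
    for policy, allowed in demo().items():
        print(f"{policy}: {'allowed' if allowed else 'blocked'}")
```

A fingerprint allowlist has to be refreshed whenever a trusted program is legitimately updated, which is why products pair it with a prompt rather than silently blocking.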

On XP all DNS requests from various applications are transmitted to the DNS client (SVCHOST.EXE). This behavior can be used to transmit data to a remote computer by crafting a special DNS request without the firewall noticing it. DNStester uses this kind of DNS recursive request to bypass your firewall. If your firewall fails this test, then your firewall checks too late for DNS requests.
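Because every application's lookups arrive at the firewall from the DNS client service, the queried name itself is the signal a defender is left with. The Python below, an added example that is not part of the original page, scans constructed DNS query log lines (not real telemetry) and flags names whose labels are unusually long or high-entropy, the traits of queries carrying encoded data; the log format and thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample log lines: timestamp, process, query type, queried name.
# On XP the DNS client service proxies every lookup, so the process column
# reads svchost.exe for all of them and cannot identify the real requester.
SAMPLE_LOG = """\
2006-10-26 10:01:02 svchost.exe A www.example.com
2006-10-26 10:01:03 svchost.exe A mail.example.com
2006-10-26 10:01:04 svchost.exe A update.example.org
2006-10-26 10:01:05 svchost.exe TXT 4a6f686e446f653a70617373776f7264313233.t.example.net
2006-10-26 10:01:06 svchost.exe A mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")
MAX_LABEL = 24      # assumed thresholds; tune to the environment's baseline
MAX_NAME = 64
MAX_ENTROPY = 3.5   # bits per character of the leftmost label

def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_reasons(name: str) -> list:
    """Return the heuristics a queried name trips; empty means benign."""
    labels = name.rstrip(".").split(".")
    reasons = []
    if max(len(label) for label in labels) > MAX_LABEL:
        reasons.append("long-label")
    if len(name) > MAX_NAME:
        reasons.append("long-name")
    if shannon_entropy(labels[0]) > MAX_ENTROPY:
        reasons.append("high-entropy")
    return reasons

def scan_dns_log(text: str) -> list:
    """Yield (line number, process, query type, name, reasons) for flagged lines."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        _ts, proc, qtype, name = m.groups()
        reasons = suspicious_reasons(name)
        if reasons:
            flagged.append((lineno, proc, qtype, name, reasons))
    return flagged

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```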

Generally, when an application accesses the Internet, your firewall uses the Windows API to retrieve the parent PID. Ghost changes the PID by shutting itself down and restarting to continue to send data. If your firewall fails this test, then your firewall's parent/child network access monitoring is checking too late.

Yalta has both a classical test and an advanced test. The classical test tries to send UDP packets toward ports that are often allowed, e.g., 53 (DNS), 21 (FTP). The advanced test uses a driver to send packets directly to the network interface, going under the TCP/IP layer. If your firewall fails this test, then your firewall may allow traffic that you did not initiate on pre-configured ports.

OutBound tries to send TCP packets with a few flags enabled directly to the network, trying to bypass your firewall. To conserve CPU and system resources, many firewalls do not filter these kinds of packets. If your firewall fails this test, then your firewall does not check lower than the Windows IP layer, and/or checks only new connections.

Thermite injects its code into the target process directly by creating an additional malicious thread within that process that is totally invisible to some firewalls. If your firewall fails this test, then your firewall is vulnerable to process injection.

PCAudit2 uses a different DLL injection method than the first version of PCAudit to bypass firewalls that can block PCAudit. If your firewall fails this test, then either your firewall is vulnerable to DLL injection, or your firewall has a DLL injection protection feature that is not effective.

WallBreaker uses explorer.exe to access the Internet. It includes a variant test which launches cmd.exe, which then launches explorer.exe. In another test, WallBreaker sets a scheduled task by using "AT.exe", which in turn executes the task via "svchost", creating a batch file (".bat" extension) with a random filename in your directory.

MBtest sends packets directly to the NIC to try to bypass your firewall. To do this, it sends different kinds of packets, varying size, protocol and type. In theory MBtest could copy the needed files by itself without a reboot. If your firewall fails this test, then your firewall may only check high-level network traffic, missing low-level traffic.

AWFT has 10 tests, including (1) attempting to load a copy of your default browser and patch it in memory before it executes, and creating a thread on a loaded copy of your default browser, (2) creating a thread on Windows Explorer, (3) attempting to load a copy of the default browser from within Windows Explorer and patch it in memory before execution, (4) performing a heuristic search for proxies and other software authorized to access the Internet on port 80, then loading a copy and patching it in memory before execution from within a thread on Windows Explorer, and (5) performing a heuristic search for proxies and other software authorized to access the Internet on port 80, then requesting the user to select one of them to create a thread on the selected process.

Breakout sends a URL to your Internet Explorer (IE) address bar via the 'SendMessage' Windows API in order to launch it. If your firewall fails this test, then your firewall does not check the 'messages' sent to your application windows.

Breakout2 creates an HTML page locally that points to its target URL. Then, it enables Active Desktop and sets its HTML page as your desktop wallpaper. If your firewall fails this test, then your firewall does not check for Active Desktop abuse.

CPIL tries to find explorer.exe and patch its memory. Then with the infected explorer.exe, CPIL attempts to transmit data to remote servers using your default browser. If your firewall fails this test, then it may fail to monitor suspicious code injection.

Instead of directly modifying the target process memory, Jumper makes the target load its foreign DLL by itself. To do so, Jumper writes to the 'AppInit_DLLs' registry entry, and then kills explorer.exe, which is reloaded automatically by Windows. Once inside, the Jumper DLL modifies your Internet Explorer (IE) start page registry entry with all the data it wants to transmit, and then launches IE. If your firewall fails this test, then your firewall is not monitoring the critical registry entries.

PCFlank uses OLE automation to check how your firewall handles the situation of one program attempting to manage the behavior of another (trusted) program. If your firewall fails this test, then your firewall is leaky and you should take additional measures to secure your computer.

Note: These tests were run using independent, publicly available freeware. The following product versions were used: ZoneAlarm® Internet Security Suite 7.0 beta1, Norton Internet Security Suite v7.1, McAfee Internet Security v9 Trial, MS Windows Live OneCare v1.1.1067.8 with Windows Defender. Believed accurate based on research performed the week of October 26, 2006, this list of leak tests is not exhaustive. Tests were conducted using Windows XP SP2 and all MS Updates. The ZoneAlarm® Program Control was set to Maximum, the setting that most users are in either by default or after a short learning period.

For accurate firewall leak testing, each security product had antivirus (non-firewall) protection turned off. This is because the antivirus feature in some products disabled leak tests for certain threats without actually blocking those threats, which would produce inaccurate leak test results.